Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OS command injection on windows when opening urls #323

Open
tripodsan opened this issue Oct 18, 2023 · 1 comment
Open

OS command injection on windows when opening urls #323

tripodsan opened this issue Oct 18, 2023 · 1 comment
Labels
enhancement help wanted

Comments

@tripodsan
Copy link

it is possible to run os commands when opening urls, eg:

open('https://$(calc.exe)')

opens the default browser, but als runs calc.exe

expected

the url argument should be sufficiently escaped when invoking powershell so that this vulnerability cannot be exploited.
@tripodsan tripodsan mentioned this issue Oct 18, 2023
Closed
@sindresorhus
Copy link
Owner

From the readme:

This package does not make any security guarantees. If you pass in untrusted input, it's up to you to properly sanitize it.

It's almost impossible to make it entirely secure. That being said, I'm happy to merge pull requests to improve the escaping logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sindresorhus @tripodsan